CVE-2022-1441: 
NixOS vulnerability analysis and mitigation

CVE-2022-1441 affects MP4Box, a component of GPAC-2.0.0, which is a widely-used third-party package on RPM Fusion. The vulnerability was discovered in April 2022 and involves a buffer overflow condition in the MP4 file parsing functionality (NVD, CVE).

The vulnerability occurs in the diST_box_read() function when parsing MP4 files. The function allocates a buffer str with a fixed length of 1024 bytes, but the content read from bs is user-controllable without proper length validation, leading to a potential buffer overflow condition. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD).

The vulnerability can lead to stack overflow due to unlimited length and controllable content, potentially corrupting memory canaries or enabling arbitrary code execution. Since video content is user-controllable, an attacker could craft malicious MP4 files to trigger the buffer overflow (GitHub Issue).

The vulnerability has been fixed by modifying the diST_box_read() function to properly allocate memory based on the size parameter and perform proper bounds checking. The fix was implemented in commit 3dbe11b37d65c8472faf0654410068e5500b3adb. Users should upgrade to the patched version (GitHub Commit, Debian Advisory).